Why is the Security Team trying to trick us? – The #1 Pitfall of Employee Phishing Assessments

Many organizations are now starting to do internal employee phishing assessments to determine how vulnerable their team is to targeted phishing attacks. This is because phishing is one of the primary ways that ransomware makes its way into corporate networks - through emails targeted at employees who click on links or attachments. Your IT Security team can assess your organization's vulnerability in this area by simulating attack emails, but with harmless links or attachments that can provide feedback to IT Security.
But when your IT Security team undertakes an employee phishing assessment initiative, there are many subtle decisions that must be made that can have an impact not only on the validity of the results, but on employee morale and trust. So, I'm creating a list of dangerous pitfalls to be avoided when implementing an employee phishing assessment program. Not fully considering the employees' responses to these emails is probably the easiest landmine to step on; it can cause serious employee backlash and put the program in jeopardy. Here's the problem and the solution.

Consider the fact that employees are already bombarded with a lot of either risky, irrelevant or useless email every day. It’s already difficult, at times, for them to sift through all their email to find the messages worth taking action on. Many of them know that SPAM filters are in place, and some recognize that these filters don’t always work well. So, as a result, they get irrelevant messages in their inbox, which they’ve learned to ignore… or have they?

There’s a fine line between ordinary SPAM and targeted phishing emails. So, employees first need to realize that not all SPAM looks irrelevant. In fact, targeted phishing messages can look very legitimate on the surface. So, many organizations issue warnings or guidance to employees on how to recognize phishing emails. It’s just a fact of life, and we may assume that employees are doing their best to follow the guidelines provided to them.

In reality, the typical guidance provided to employees is sometimes not enough, because a well-crafted phishing message can fool almost anyone. But employees may not realize that, even if they are following the guidelines they’ve been given for recognizing dangerous emails, they can still become a victim. So, if your IT Security Team were to start sending phishing emails that look legitimate, with very few clues that they are not real, then employees who receive them will get frustrated when they find out they’ve been tricked. After all, either they weren’t warned ahead of time, or the guidelines were probably too hard for most people to remember.

The first reaction of employees who are told they’ve clicked on a dangerous link in an email might be to complain to management that they are being tricked by the IT Security Team. They may also complain to Human Resources that they are being unfairly targeted with messages that waste their time and make them look bad. In this case, the IT Security Team will have to go on the defensive and redefine the phishing assessment program, to ensure that staff are informed of the test.

The solution is in planning the Employee Phishing Assessment program properly up-front

Before your IT Security Team sends its first phishing assessment message, it should have a well thought out plan that includes consideration for how employees will be informed of the program, and how their performance will be measured and reported. Treating employees with respect goes a long way in gaining their support for the program.

Informing employees about a phishing assessment program should start with a briefing on why phishing messages are so dangerous, the damage they can cause, and the dirty tricks that attackers play to get you to take actions that could cause damage to corporate computers and networks. Once your team realizes that phishing messages are one of the most dangerous threats to information security that they face on a daily basis, they can start to understand the need to ensure that they know how to recognize them.

Your IT Security Team can explain that phishing assessment messages that employees receive will be potentially tricky, but fair. Each message will include recognizable elements from the guidelines they’ve been given, so employees have an expectation of being able to pass the test with the information they’ve been given. Then, as the team as a whole improves in recognizing common phishing tactics, the guidelines can be refined, and employees informed that the tests will be getting more difficult; all in order to make sure they are prepared to handle the latest types of attacks.

This means it will take some time to develop a mature employee phishing assessment program. But that program will be based on mutual respect and collaboration. Eventually, employees may begin to suggest improvements to the program, rather than complaining about being unfairly harassed by the IT Security Team.

This example is just one potential pitfall, and represents just one element of the planning that should be put into an employee phishing assessment program. Please contact us if you have any questions, or need help in setting up an employee phishing assessment program in your organization. We can provide a free assessment for up to 100 employees, and can also manage the entire process of planning, implementation and reporting on your employee phishing assessments on an annual basis for a very affordable price. We can help your IT Security Team avoid the pitfalls inherent in launching an ad-hoc employee phishing assessment initiative.